Penetration testing

The penetration test prevents economic and reputational losses by testing or building effective information protection for the company.

The test detects and checks for vulnerabilities in the system that could have occurred due to software and hardware errors, incorrect settings, operational flaws and more. Also, testing allows you to clearly demonstrate the relevance of the identified vulnerabilities and the significance of potential damage to the company.

Initialization

Stage results:● A working group has been formed and approved● Defined and approved scope and parameters of testing, possible risks and limitations, work schedule, communications regulations

Data collection from open sources (passive information gathering)

Stage results:A non-interactive study of infrastructure to be tested has been performed. Information on this infrastructure was collected and systematized from open sources. Preparation for the stage of active information gathering has been completed .

Active information gathering

Instrumental analysis of security of the outer perimeter over the range of IP addresses: ● Identify resources
● Identify vulnerabilities
● Vulnerability analysis
● Access (vulnerability check)

Analysis of results and report development

Stage results:Documented report containing identified vulnerabilities, results and evidence of vulnerability testing, as well as recommendations for risk management related to identified vulnerabilities.

Demonstration and discussion of test results

Stage results:Documented report containing identified vulnerabilities, results and evidence of vulnerability testing, as well as risk management recommendations related to identified vulnerabilities.

EXTERNAL AND INTERNAL PENETRATION TESTING

Testing simulates actions of an attacker who has access to the company's internal network, and reveals how much a potential attacker could harm the IT infrastructure.

● Collect all test scope information using OSINT (Open Source Intelligence) methods ● Use of automated information collection systems, scanners, invasive intelligence methods ● Simulation of the violator's activities with tools for exploiting vulnerabilities (exploits), attack techniques and other actions ● Increasing privileges, identifying the possibility of expanding the surface of the attack, gaining access to other users' data, fixing in the system ● Report containing direct safety assessment, risk and vulnerability assessments, recommendations for their elimination

Open Source Security Testing Methodology Manual

A high-level methodology for testing security systems, developed and maintained by the consortium "Institute for Security and Open Methodologies". The project uses this methodology as a basis for planning and coordinating work, as well as for reporting on project results.

Penetration Testing Execution Standard

A methodology developed by a team of penetration testing, security audit and social engineering experts. The methodology complements OSSTMM during project planning and coordination, and is used at the stage of non-automated search and analysis of vulnerabilities of IT systems in the scope of the test.

Technical Guide to Information Security Testing and Assessment

Methodology of instrumental security testing of IT systems, mandatory for use in US Federal Agencies. This methodology is used at the stage of automated search and analysis of vulnerabilities of IT systems in the field of testing, as well as during the possible simulation of attacks using the identified vulnerabilities.